Updates via httpS

LinuxMintUsers
Level 1
Posts: 1
Joined: Mon Mar 07, 2016 5:01 am

Updates via httpS

Post by LinuxMintUsers »

Is it possible to secure the updates? At the moment it's an invite for every bad guy to infect Linux with malicious packages. What are the possibilities to secure the update process?
xenopeek
Level 24
Posts: 24862
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Updates via httpS

Post by xenopeek »

All updates are published accompanied by cryptographic hashes (MD5, SHA1, and SHA256) and those in turn are cryptographically signed (GPG) and can be verified with a public key of Linux Mint (or Ubuntu/Debian). Before updates are installed this information is used to securely verify the updates originate from Linux Mint (or Ubuntu/Debian) and have been downloaded without errors. HTTPS wouldn't make a difference for that, nor would it keep much information from your ISP or others on your local network. They can all see you connecting to the repository server even with HTTPS.

HTTPS could possibly be a remedy against MITM attacks, with an attacker for example pretending to be the server you get your updates from and serving you older versions of packages and withholding newer versions so your machine stays vulnerable to some attack. Attackers can't tamper with the packages themselves unless they have the private key of Linux Mint (or Ubuntu/Debian).

I don't know that either Ubuntu or Debian support HTTPS for their repositories. I know some other distributions do (Arch Linux and Fedora).
ivan-the-idiot
Level 2
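The verification chain xenopeek describes, as an added example that is not part of the forum post or of apt itself: the signed Release file lists each package index with its size and hash, the index lists each .deb with its size and hash, and a download is accepted only if every link holds. Where a repository publishes a Valid-Until field, apt also rejects a Release file past that date, which limits how long a fake mirror can keep serving an old, still validly signed index of the kind the post warns about; the example checks that too. The sample Release, Packages and .deb contents are constructed (real ones come from the distribution), and the GPG signature check over the Release file, which apt performs with gpgv against the distribution's public key, is represented by the signature_ok argument rather than performed here.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# --- Constructed sample repository artifacts (not a real distribution's files) ---
SAMPLE_DEB = b"!<arch>\n" + b"constructed, not a real .deb archive\n" * 4
SAMPLE_DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"

# A one-stanza Packages index naming the .deb with its size and SHA256.
SAMPLE_PACKAGES = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    f"Filename: {SAMPLE_DEB_PATH}\n"
    f"Size: {len(SAMPLE_DEB)}\n"
    f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}\n"
    "\n"
).encode()
SAMPLE_INDEX_PATH = "main/binary-amd64/Packages"

# The Release file lists every index with its size and hash; this whole file is
# what the distribution signs (InRelease / Release.gpg), so the signature covers
# the package hashes transitively.
SAMPLE_RELEASE = (
    "Origin: Example\n"
    "Suite: stable\n"
    "Date: Sun, 09 Sep 2018 00:00:00 UTC\n"
    "Valid-Until: Sun, 16 Sep 2018 00:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES):8d} {SAMPLE_INDEX_PATH}\n"
)
SAMPLE_NOW = datetime(2018, 9, 10, tzinfo=timezone.utc)    # inside the validity window
SAMPLE_LATER = datetime(2018, 10, 1, tzinfo=timezone.utc)  # after Valid-Until


def parse_release_hashes(release_text, algo="SHA256"):
    """Return {index_path: (size, hexdigest)} from one hash section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith(" "):
            if in_section:
                digest, size, path = line.split()
                entries[path] = (int(size), digest)
        else:
            in_section = line.rstrip() == f"{algo}:"
    return entries


def release_is_fresh(release_text, now):
    """Reject a Release file whose Valid-Until date has passed (if one is published)."""
    for line in release_text.splitlines():
        if line.startswith("Valid-Until:"):
            expiry = parsedate_to_datetime(line.partition(":")[2].strip())
            return now <= expiry
    return True  # no expiry published; such a Release file is accepted


def verify_index(release_text, index_path, index_bytes):
    """Check a downloaded index against the size and hash recorded in the Release file."""
    entry = parse_release_hashes(release_text).get(index_path)
    if entry is None:
        return False
    size, digest = entry
    return len(index_bytes) == size and hashlib.sha256(index_bytes).hexdigest() == digest


def parse_packages(index_bytes):
    """Split a Packages index into a list of {field: value} stanzas."""
    stanzas, current = [], {}
    for line in index_bytes.decode().splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_package(index_bytes, filename, deb_bytes):
    """Check a downloaded .deb against the size and hash its index stanza records."""
    for stanza in parse_packages(index_bytes):
        if stanza.get("Filename") == filename:
            return (len(deb_bytes) == int(stanza["Size"])
                    and hashlib.sha256(deb_bytes).hexdigest() == stanza["SHA256"])
    return False


def verify_download(release_text, index_path, index_bytes, filename, deb_bytes,
                    now=None, signature_ok=True):
    """Whole chain. signature_ok stands in for the external gpgv check of the Release file."""
    now = now or datetime.now(timezone.utc)
    return (signature_ok
            and release_is_fresh(release_text, now)
            and verify_index(release_text, index_path, index_bytes)
            and verify_package(index_bytes, filename, deb_bytes))


def demo():
    """Clean download, tampered package, stale Release and bad signature, side by side."""
    args = (SAMPLE_RELEASE, SAMPLE_INDEX_PATH, SAMPLE_PACKAGES, SAMPLE_DEB_PATH)
    return {
        "good": verify_download(*args, SAMPLE_DEB, now=SAMPLE_NOW),
        "tampered": verify_download(*args, SAMPLE_DEB + b"x", now=SAMPLE_NOW),
        "stale": verify_download(*args, SAMPLE_DEB, now=SAMPLE_LATER),
        "unsigned": verify_download(*args, SAMPLE_DEB, now=SAMPLE_NOW, signature_ok=False),
    }


if __name__ == "__main__":
    print(demo())
```

A mirror, or anyone between you and it, can swap bytes in transit, but the modified index or package then fails the hash comparison against the signed Release file, which is why transport encryption adds nothing to integrity here. What it cannot do is manufacture a signed Release file, so the remaining lever is serving an old one, and that is what the freshness check bounds.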
Posts: 96
Joined: Thu Feb 25, 2016 9:59 am

Re: Updates via httpS

Post by ivan-the-idiot »

Serving up anything via HTTPS is trivial - get a cert, set it up, set up the webserver to serve HTTP and HTTPS from the same directory.

But for apt updates, why bother? Remember, HTTPS is to secure communications while in-transit. Does nothing to verify the true file being downloaded, etc. As pointed out, the various packages in the various repos are GPG signed and *that* is what is verifying the security of the packages - not the delivery mechanism.
VoxelMints
Level 1
Posts: 49
Joined: Sat Sep 08, 2018 6:20 pm

Re: Updates via httpS

Post by VoxelMints »

I was also hoping updates over https were possible. I block connections over port 80 and when I update I need to unblock it. I cringe at the fact someone snooping somewhere knows exactly when I update.

I've read some mirrors support https, they sync to the primary 'http only' Ubuntu server if I understand correctly but it's fine. I want to avoid all http connections from my pc if possible.
xenopeek
Level 24
Posts: 24862
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Updates via httpS

Post by xenopeek »

I'll repeat:
xenopeek wrote:
Mon Mar 07, 2016 7:37 am
HTTPS wouldn't [...] keep much information from your ISP or others on your local network. They can all see you connecting to the repository server even with HTTPS.
HTTPS does not keep secret the fact that you're updating.
rene
Level 16
Posts: 6681
Joined: Sun Mar 27, 2016 6:58 pm

Re: Updates via httpS

Post by rene »

xenopeek wrote:
Sun Sep 09, 2018 1:55 am
HTTPS does not keep secret the fact that you're updating.
Nor, in fact, what you are updating. The repositories being public anyway, simple automated filesize analysis gets you that information. Really hardly any point to HTTPS for apt.
gm10
Level 20
Posts: 10999
Joined: Thu Jun 21, 2018 5:11 pm

Re: Updates via httpS

Post by gm10 »

VoxelMints wrote:
Sat Sep 08, 2018 7:32 pm
I was also hoping updates over https were possible. I block connections over port 80 and when I update I need to unblock it. I cringe at the fact someone snooping somewhere knows exactly when I update.

I've read some mirrors support https, they sync to the primary 'http only' Ubuntu server if I understand correctly but it's fine. I want to avoid all http connections from my pc if possible.
Switch to a mirror that supports https, then edit /etc/apt/sources.list.d/official-package-repositories.list and /etc/apt/sources.list.d/official-source-repositories.list to change references to http:// to https:// instead.

Note that you'll have to manually change the -security repo to use your mirror. By default this does not use a mirror to ensure you get timely security updates even if your mirror goes stale. So keep that in mind when choosing a mirror.

Further note that you cannot switch the partner repository to https but you can just disable it if you're not using the adobe-flashplugin package. Flash needs to die, so easy choice.

If your apt version is < 1.5 you'll need to install the apt-transport-https package.
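The edit gm10 describes, as an added example that is not part of the forum post: a POSIX shell script that backs up a sources list, rewrites http:// to https:// on its deb and deb-src lines only (commented lines are left alone), and a helper that decides from the apt version string whether apt-transport-https is still needed. The list file names come from the post; the mirror hostnames in the test are constructed placeholders, and the script does not check that the chosen mirror actually answers on HTTPS, so pick one that does first, and point the -security line at it by hand, since by default that line does not use a mirror at all.

```sh
#!/bin/sh
# Added example (not from the forum post or from Linux Mint): switch apt source
# lists from http:// to https:// after choosing a mirror that serves HTTPS.

# Rewrite http:// to https:// on deb/deb-src lines of one sources list.
# $1 = list file, e.g. /etc/apt/sources.list.d/official-package-repositories.list
# A copy named <file>.bak is written before the file is touched.
rewrite_sources_to_https() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp -p "$f" "$f.bak" || return 1
    # Only lines that begin with "deb " or "deb-src " are rewritten; "# deb ..." stays.
    sed -e '/^deb[[:space:]]/s#http://#https://#g' \
        -e '/^deb-src[[:space:]]/s#http://#https://#g' "$f" > "$f.tmp" || return 1
    mv "$f.tmp" "$f"
}

# Succeed (exit 0) only when no active deb/deb-src line still uses plain http://.
list_is_https_only() {
    ! grep -q '^deb\(-src\)*[[:space:]].*http://' "$1"
}

# Succeed (exit 0) when the given apt version is older than 1.5, i.e. the
# apt-transport-https package is still required for https:// sources.
# $1 = version string as printed by: dpkg-query -W -f '${Version}' apt
needs_apt_transport_https() {
    v="$1"
    major=${v%%.*}            # digits before the first dot
    rest=${v#*.}              # everything after the first dot
    minor=${rest%%[!0-9]*}    # leading digits of that remainder
    [ "$v" = "$major" ] && minor=0   # version had no dot at all
    [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "${minor:-0}" -lt 5 ]; }
}

# Usage: sh this_script.sh /etc/apt/sources.list.d/official-package-repositories.list \
#                          /etc/apt/sources.list.d/official-source-repositories.list
# With no arguments the functions are only defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    for list in "$@"; do
        rewrite_sources_to_https "$list" || exit 1
        if list_is_https_only "$list"; then
            echo "$list: all active entries now use https://"
        else
            echo "$list: some active entries still use http:// (partner repo?)" >&2
        fi
    done
    if command -v dpkg-query >/dev/null 2>&1; then
        aptver=$(dpkg-query -W -f '${Version}' apt 2>/dev/null)
        if needs_apt_transport_https "$aptver"; then
            echo "apt $aptver is older than 1.5: install apt-transport-https first"
        fi
    fi
fi
```

The partner repository cannot be switched, as the post notes, so after the rewrite the check reports a remaining http:// line if that entry is still enabled; disabling it in the list file is the fix there.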
VoxelMints
Level 1
Posts: 49
Joined: Sat Sep 08, 2018 6:20 pm

Re: Updates via httpS

Post by VoxelMints »

Cool, thanks, hopefully I can get this working!

I don't consider myself an advanced computer user, maybe above average, but I believe there are certain situations that become harder for some admin or highly skilled computer user somewhere to snoop on what I'm doing.

I mean wouldn't updating over https keep a malware-infected router from intercepting or even blocking updates? I think about situations like this.
gm10
Level 20
Posts: 10999
Joined: Thu Jun 21, 2018 5:11 pm

Re: Updates via httpS

Post by gm10 »

VoxelMints wrote:
Sun Sep 09, 2018 3:12 pm
I mean wouldn't updating over https keep a malware-infected router from intercepting or even blocking updates? I think about situations like this.
It could still block the entire connection but not individual updates, yep.